last changes 03/25/2026
Table of Contents
- CMMC Compliance Levels Overview
- CMMC Level 1 Requirements (Foundational)
- CMMC Level 2 Requirements (Advanced)
- CMMC Level 3 Requirements (Expert)
- How to Become CMMC Compliant
CMMC Compliance Levels
Due to the changes made between the original CMMC 1.x model and the current CMMC Program, many companies still refer to the three levels as CMMC Compliance Levels or CMMC Certification Levels. The official rules now speak more precisely in terms of CMMC Levels, assessment types, and CMMC Status, but the practical question remains the same: which level applies to your company?
If you are wondering which of the three CMMC Compliance Levels applies to your company, the required CMMC level and assessment type will be stated in the solicitation and contract. As a subcontractor, you will typically receive the applicable requirement as a flow-down from your prime contractor where needed. Most organizations will ultimately need Level 1 or Level 2 compliance.
As a general rule:
- The current DFARS rule excludes solicitations and contracts solely for the acquisition of commercially available off-the-shelf (COTS) items from the CMMC clause.
- If your company will receive exclusively Federal Contract Information (FCI) under the contract, then you will generally need a CMMC Level 1 implementation and an annual self-assessment with annual affirmation.
- However, if your organization will receive Controlled Unclassified Information (CUI) in addition, then CMMC Level 2 will be required as a minimum. At this level, the solicitation will determine whether your organization must complete a Level 2 self-assessment or a Level 2 certification assessment by a C3PAO. In either case, Level 2 assessments are valid for three years, with annual affirmations required in between.
Overview
The main purpose of the CMMC model is to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is shared with contractors and subcontractors of the DoD through acquisition programs. The type of information (FCI vs CUI) an organization handles determines the CMMC compliance level it will need to achieve.
Under the current CMMC Compliance Rules, there are only three CMMC compliance levels. Compared to the earlier CMMC 1.0 model, the five-level structure was streamlined down to three levels to simplify the program.
CMMC Level 1 Requirements (Foundational):
CMMC Level 1 is the base level of compliance and consists of practices that correspond to the basic safeguarding requirements in Federal Acquisition Regulation clause FAR 52.204-21. This lowest level consists of 15 basic cybersecurity requirements, including foundational practices such as identification and authentication and basic access control.
Level 1 is focused on protecting Federal Contract Information (FCI) and will generally apply where a contractor handles FCI but not CUI, other than contracts solely for the acquisition of COTS items. In terms of the underlying requirements, there have been no substantive changes from the prior Level 1 baseline in CMMC 1.02.
Under CMMC Level 1, there is no third-party certification assessment. Instead, the contractor must conduct a self-assessment annually and record the result in SPRS, accompanied by an annual affirmation by the company's Affirming Official. That official can be held accountable under the False Claims Act for an inaccurate affirmation.
CMMC Level 2 Requirements (Advanced):
At CMMC Level 2 the focus is on protecting CUI, fleshing out the base security practices established in Level 1, and increasing the overall security of the organization.
CMMC Level 2 requires compliance with the 110 security requirements in NIST SP 800-171 Rev. 2 with its 320 assessment objectives. In practical terms, this is the same core security baseline that DoD contractors handling CUI have already been expected to implement under DFARS 252.204-7012, with CMMC only adding the formal assessment and status framework around it.
If your organization handles CUI, you should expect CMMC Level 2 to be the minimum requirement in most cases. That is why Level 2 will likely be one of the most commonly required CMMC Compliance Levels for companies in the defense industrial base. This is what the vast majority of our clients face.
When it comes to assessments, CMMC Level 2 is split:
- Some contracts will require a Level 2 self-assessment. In those cases, the organization performs its own assessment in accordance with the CMMC requirements, uploads the results to SPRS, and provides annual affirmations.
- Other contracts will require a Level 2 certification assessment by a CMMC Third-Party Assessment Organization (C3PAO). C3PAOs are assessment organizations accredited by the Cyber AB (formerly the CMMC-AB) that conduct the independent Level 2 certification assessments required by those solicitations. The majority of contracts will require such a C3PAO certification.
For both Level 2 assessment paths, the assessment cycle is three years, with an annual affirmation required in between. Limited use of Plans of Action and Milestones (POA&Ms) is allowed at Level 2: a contractor that meets the minimum passing score, with only POA&M-eligible requirements left open, receives a Conditional Level 2 status and must close those open items within 180 days to reach Final Level 2 status. The current minimum passing score for Level 2 is 88 out of 110, subject to the rule's scoring methodology and its restrictions on which requirements may remain open.
CMMC Level 2 is a considerable step up from Level 1, which affects both timeline and cost. For most organizations, Level 2 readiness involves much more work around scoping, documentation, technical implementation, evidence collection, and ongoing maintenance.
For an overview of the CMMC implementation process with time estimates for a CMMC Level 2 implementation see here.
CMMC Level 3 Requirements (Expert):
CMMC Level 3 is the highest level in the current program and is expected to apply only to a small subset of contractors supporting the most sensitive programs. The focus at this level shifts to improving an organization’s ability to protect CUI against more advanced threats, including advanced persistent threats (APTs).
CMMC Level 3 requires an organization to implement 24 selected enhanced security requirements from NIST SP 800-172, in addition to the Level 2 baseline. These requirements are more advanced and more demanding to implement and sustain than the Level 2 requirements.
Organizations pursuing Level 3 must first achieve Final Level 2 (C3PAO) status for the same assessment scope. On top of that Level 2 baseline, DCMA DIBCAC assesses the additional Level 3 requirements. Level 3 assessments are required every three years, with annual affirmations required in between.
How to Become CMMC Compliant:

As a CMMC Registered Practitioner Organization™ (CMMC-RPO), Ecuron can provide pre-assessment and readiness support, including services such as CMMC gap analysis, CMMC implementation help, and CMMC pre-assessment support. RPOs provide consulting and implementation support, but they do not conduct certified CMMC assessments.
We offer CMMC Consulting Services to get you CMMC compliant in 4 Steps:
- CMMC Gap Analysis / CMMC Gap Assessment: See where your organization stands and what it takes to achieve compliance.
- CMMC Implementation Help: Based on the results of the first phase, we help you close existing gaps by implementing suitable controls and any missing requirements. This includes developing and writing the extensive documentation required.
- CMMC Pre-Assessment: Think of it as a mock audit. We verify that everything is in place, mature, and can be proven to an assessor. If we find issues, we help you fix them. Once we are confident that you are ready for the CMMC assessment, we recommend scheduling the actual assessment.
- CMMC Assessment Support: If you are required to be assessed by a third party, we help you prepare for the final CMMC assessment and gather and organize evidence for a smooth assessment by the C3PAO. We will be at your side throughout the process.
For a general overview of the CMMC compliance process and rough time estimates see this flowchart.
If you would like to speak to our team to discuss your CMMC requirements and schedule a complimentary 15-30 min consultation, email us at cmmc@ecuron.com or give us a call.